Detection rules › Sigma
Changing Existing Service ImagePath Value Via Reg.EXE
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness |
| Privilege Escalation | T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness |
| Defense Evasion | T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: all of selection
CommandLine|contains: ' ImagePath '
CommandLine|contains: 'SYSTEM\CurrentControlSet\Services\'
CommandLine|contains: 'add '
Image|endswith: '\reg.exe'
Stage 2: all of selection_value
CommandLine|contains: ' -d '
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|